Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.5220 ruby-loofah security update 14 September 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: ruby-loofah Publisher: Debian Operating System: Debian GNU/Linux Resolution: Patch/Upgrade CVE Names: CVE-2022-23516 CVE-2022-23515 CVE-2022-23514 Original Bulletin: https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html Comment: CVSS (Max): 7.5 CVE-2022-23516 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSS Source: NIST Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3565-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Sylvain Beucler September 13, 2023 https://wiki.debian.org/LTS - - ------------------------------------------------------------------------- Package : ruby-loofah Version : 2.2.3-1+deb10u2 CVE ID : CVE-2022-23514 CVE-2022-23515 CVE-2022-23516 Debian Bug : 1026083 Multiple vulnerabilities were discovered in Loofah, a Ruby library for HTML/XML transformation and sanitization. An attacker could launch cross-site scripting (XSS) and denial-of-service (DoS) attacks through crafted HTML/XML documents. CVE-2022-23514 Inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. CVE-2022-23515 Cross-site scripting via the image/svg+xml media type in data URIs. CVE-2022-23516 Loofah uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption. For Debian 10 buster, these problems have been fixed in version 2.2.3-1+deb10u2. We recommend that you upgrade your ruby-loofah packages. For the detailed security status of ruby-loofah please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ruby-loofah Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmUBzRgACgkQDTl9HeUl XjAMXBAAm1NhBGBxyGR5/4g4/SMXjuqzWzqiYs2NRwmxhpq3v0ALZnwanseNuvtf ryue5Lial9UFCnh7g758bFOmao3UesCtTOdQzDQOkJ0ri247UGEbYd3p2oL3+i8i YSKoKscGiL3RQ+IpfNy25p4oT/6bvPn7FHKGudSRnKhMqYh8ttDi9DweMEjXgPnv XijxcB8KSB6X8dGUZjRXRXsG8KUZOzbvGJzrb//8Fmc7qwZUSJNakS4mENpwYgxN vZB5IfB9p9sB8x/mKyFHD5O/y8hryk5ujnG6F4BfPmL3rWpqxaYXo1ehq8yGqkAy 6t/37RjQv4g2IRC/wjABZjJ1QV69fS4ZIilQG/hQgwUNT89uF15lDHNrCpNU76VF 24zytYqb3OnbiPbmaa0r5VOgPLv+OSB53lLUFz009/OjMHtq2TNPz9rj+7staG/P A2qmUgjx3waBoMYVXgcJ1sUhkf/tOlQVx797EWjiUYl4xxcT2L5rIr4tQzPaW74P MSgJBeSIspOKf5F2vnPuoEKNJt63biH7sbp+CBYFlwcaJ4rS+YHc5W1Lxawm/21I XYtPXpEiw08YLFCc4ITgMcuPUVFIFXYswyG0VaONyLmRjLjT1LlWDCeA69tZ58KP ja+HaaQ6uSir3WEtsLTl1XStK6Ep9h1CBRPxsnY1Hlx6qtkIVn0= =dRUb - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBZQJmj8kNZI30y1K9AQivYQ/8DjEylaPhO9u2KvRgj3CNVarVSD6QVuMV YLpPYLACUqwwre/Bi2jZsldSw3/LWchZWnK8Dq6QzA8CQzMx8l22wCUHQ+MdR2/H 95igonvDQOZxryrhXSVIwEwDnCZYQZ0mqtBHFck3O5SEnvCc9D/AU0/NjX+B+7UR A+RhRfDbrwotE3hZVJo7suB0c6AFJfs9lGeAUNsY2RLS3cHcAP6ozkvCC2/ogFgX qrZVmspZ9EV4so5R3wm9E35+cshzsVEdb0KJ4nczMqmNgtBLK6HtBjZMIvQbpI05 pFPAMZNaa79mww8XJhiEpoNUBrV3Xnz6pZ1i2nNM55diw6xgOakM7+oVs/wmnBwy NDihm7rO0V/pbr1XgNymvzrjqAiG5BZBkrxZVToAmq4sHkx0z9Ri/KeJr2RN9Y4t EW2n5RN7QkrFXn016dskyieRjsxHgujE2p36SuxrgAKguJPtF3A9oojft+p+cNw7 7RVPavXkBLEXBbSMKVApbnaZJU6d190UGE0oLeKKZqbkUX2NkokEtoThecXg3U5v PTd8B/7Fp1BlIdGhHzt5DdUryh2H2Wpi5G7VxPuBp54lBn93WztsOYx6dz8cfTgE R6qyD6n9ytxfjSYuOxL8fvj5yO5SwPv7LHUSc7IE0SEYWNDUPr262U87hMTjsG0s dkFkD8GjRH4= =YTdR -----END PGP SIGNATURE-----